From: Mimi Zohar <zohar@linux.ibm.com>
To: Coiby Xu <coxu@redhat.com>, linux-integrity@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@vger.kernel.org>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ima: setting security.ima to fix security.evm for a file with IMA signature
Date: Tue, 09 Sep 2025 11:31:20 -0400
Message-ID: <5aeecf1aa6eff8ae0ea0a9e95d5df79aee338b32.camel@linux.ibm.com>
In-Reply-To: <20250909041954.1626914-1-coxu@redhat.com>
On Tue, 2025-09-09 at 12:19 +0800, Coiby Xu wrote:
> When both IMA and EVM fix modes are enabled, accessing a file with IMA
> signature won't cause security.evm to be fixed. But this doesn't happen
> to a file with correct IMA hash already set because accessing it will
> cause setting security.ima again which triggers fixing security.evm
> thanks to security_inode_post_setxattr->evm_update_evmxattr.
>
> Let's use the same mechanism to fix security.evm for a file with IMA
> signature.
>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
Agreed, re-writing the file signature stored as security.ima would force
security.evm to be updated.
Unfortunately, I'm missing something. ima_appraise_measurement() first verifies
the existing security.evm xattr, before verifying the security.ima xattr. If
the EVM HMAC fails to verify, it immediately exits ima_appraise_measurement().
security.ima in this case is never verified.
This patch seems to address the case where the existing security.evm is valid,
but the file signature stored in security.ima is invalid. (To get to the new
code, the "status" flag is not INTEGRITY_PASS.) Re-writing the same invalid
file signature would solve an invalid security.evm, but not an invalid IMA file
signature. What am I missing?
thanks,
Mimi
> ---
> security/integrity/ima/ima_appraise.c | 27 +++++++++++++++++++++------
> 1 file changed, 21 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index f435eff4667f..18c3907c5e44 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -595,12 +595,27 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> integrity_audit_msg(audit_msgno, inode, filename,
> op, cause, rc, 0);
> } else if (status != INTEGRITY_PASS) {
> - /* Fix mode, but don't replace file signatures. */
> - if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
> - (!xattr_value ||
> - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> - if (!ima_fix_xattr(dentry, iint))
> - status = INTEGRITY_PASS;
> + /*
> + * Fix mode, but don't replace file signatures.
> + *
> + * When EVM fix mode is also enabled, security.evm will be
> + * fixed automatically when security.ima is set because of
> + * security_inode_post_setxattr->evm_update_evmxattr.
> + */
> + if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig) {
> + if (!xattr_value ||
> + xattr_value->type != EVM_IMA_XATTR_DIGSIG) {
> + if (ima_fix_xattr(dentry, iint))
> + status = INTEGRITY_PASS;
> + } else if (xattr_value->type == EVM_IMA_XATTR_DIGSIG &&
> + evm_revalidate_status(XATTR_NAME_IMA)) {
> + if (!__vfs_setxattr_noperm(&nop_mnt_idmap,
> + dentry,
> + XATTR_NAME_IMA,
> + xattr_value,
> + xattr_len, 0))
> + status = INTEGRITY_PASS;
> + }
> }
>
> /*
>
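Review bot: the sense of the ima_fix_xattr() return check is inverted in this hunk. The removed line reads `if (!ima_fix_xattr(dentry, iint))` while the replacement reads `if (ima_fix_xattr(dentry, iint))`, so with the original return convention a successful fix would no longer set `status = INTEGRITY_PASS` and a failed one would; the `!` should be restored unless the return convention of ima_fix_xattr() changed elsewhere. A smaller point: the `xattr_value->type == EVM_IMA_XATTR_DIGSIG` test in the `else if` is redundant, since the preceding `if` already handles `!xattr_value` and every non-DIGSIG type, so that branch is only reached with a non-NULL DIGSIG value and `evm_revalidate_status(XATTR_NAME_IMA)` is the only condition it needs. The new __vfs_setxattr_noperm() path also writes back the same `xattr_value` unchanged, which matches the commit message's intent (trigger evm_update_evmxattr) but would benefit from a comment saying the rewrite is deliberate and does not alter security.ima.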
> base-commit: b320789d6883cc00ac78ce83bccbfe7ed58afcf0